A Logic for Application Level QoS - CORE · A Logic for Application Level QoS 1,2 Dan Hirscha Alberto Lluch-Lafuentea Emilio Tuostob a Dipartimento di Informatica, University of Pisa

A Logic for Application Level QoS 1 ,2

Dan Hirscha Alberto Lluch-Lafuentea Emilio Tuostob

a Dipartimento di Informatica, University of Pisab Computer Science Department, University of Leicester

Abstract

Service Oriented Computing (SOC) has been proposed as a paradigm to describe computations ofapplications on wide area distributed systems. Awareness of Quality of Service (QoS) is emergingas a new exigency in both design and implementation of SOC applications.We do not refer to QoS aspects related to low-level performance and focus on those high-level non-functional features perceived by end-users as application dependent requirements, e.g., the price ofa given service, or the payment mode, or else the availability of a resource (e.g., a file in a givenformat).In this paper we present a logic which includes mechanisms to consider the three main dimensionsof systems, namely their structure, behaviour and QoS aspects. The evaluation of a formula is avalue of a constraint-semiring and not just a boolean value expressing whether or not the formulaholds. This permits to express not only topological and temporal properties but also QoS propertiesof systems.The logic is interpreted on SHReQ, a formal framework for specifying systems that handles abstracthigh-level QoS aspects combining Synchronised Hyperedge Replacement with constraint-semirings.

Keywords: Service oriented computing, synchronized hyperedge replacement, quality of service,logic, c-semirings

1 Introduction

Service Oriented Computing (SOC) is an emerging paradigm to describe com-putations of Service Oriented Applications (SOAs) running on wide area dis-tributed systems. Such systems are very complex and constituted by a var-ied flora of architectures that typically are heterogeneous, geographically dis-

1 Partially supported by the Project EC FET – Global Computing 2, IST-2005-16004 Sensoria and theEC RTN 2-2001-00346 SegraVis (Syntactic and Semantic Integration of Visual Modelling Techniques).2 Email: {dhirsch, lafuente}@di.unipi.it, [email protected]

Electronic Notes in Theoretical Computer Science 153 (2006) 135–159

1571-0661 © 2006 Elsevier B.V.

www.elsevier.com/locate/entcs

doi:10.1016/j.entcs.2005.10.036Open access under CC BY-NC-ND license.

http://www.elsevier.com/locate/entcshttp://creativecommons.org/licenses/by-nc-nd/3.0/

tributed and usually exploit communicating infrastructures whose topologyfrequently varies and to which components can, at any moment, connect to ordetach from. Web services and GRID services may be regarded as SOC andthey are receiving particular attention both from academia and industry.

An ambitious goal for SOAs is the automatization of the search-bind cycleso that applications can dynamically choose the “best” service available dur-ing the computation. Since the programmer does not completely control theservices that her application invokes, it is reasonable to allow her to use declar-ative mechanisms for expressing the “minimal” requirements on the executionenvironment.

Recently, awareness of Quality of Service (QoS) is emerging as a new ex-igency in both design and implementation of SOAs. Remarkably, we do notrefer to QoS aspects related to low-level performance (as typical, e.g., in thecommunity of operating or communication systems). On the contrary, we areconcerned with those high-level non-functional features that might interestapplications and mainly regard the end-users who perceive QoS not only inconnection with low-level performance but as application dependent require-ments, e.g., the price of a given service, or the payment mode, or else theavailability of a resource (e.g., a file in a given format). In the rest of thepaper, we intend the acronym QoS to denote application-level QoS.

SOC can be naturally modelled by means of graph-based techniques, whereedges represent components and nodes model the communication infrastruc-ture. Edges sharing a node correspond to components that may interact.System states are modelled as graphs and computations correspond to graph-rewritings. Among other proposals, hypergraphs and Synchronised HyperedgeReplacement (SHR, for short) have been proposed for modelling distributedsystems [9,15] as a natural declarative framework.

A framework based on SHR called SHReQ has been introduced in [19];SHReQ handles abstract high-level QoS aspects expressed as constraint-semi-rings [3] (c-semirings, for short). Interactions among components are ruledby synchronising them on events that are c-semiring values too. In this way,c-semirings provide both the mathematics for multi-criteria QoS and the un-derlying synchronisation policies. Intuitively, the programmer declares thebehaviour of each edge L by specifying a set of productions. A productionfor L imposes requirements to the attachment nodes of L in order to replaceit with a new hypergraph. Such requirements are expressed as elements ofa c-semiring and are interpreted as the contribution of L to the synchroni-sation. Synchronising requirements is the basic coordination mechanism ac-counting for evolution of systems and corresponds to the product operation ofc-semirings.

D. Hirsch et al. / Electronic Notes in Theoretical Computer Science 153 (2006) 135–159136

In this paper we equip SHReQ with a logic which includes mechanisms toconsider the three main dimensions of our systems, namely structure of graphs,behaviour (graph rewriting) and QoS. Structural aspects are specified usingoperators inspired by a spatial logic for graphs (GL) [7], while behaviouralones are tackled with a well-known temporal logic, namely μ-calculus [16].The way the QoS is handled follows the approach of already existing graphand temporal logics for reasoning about QoS in graphs [17] and transitionsystems [21]. Significant fragments of both logics have been shown to bedecidable (for finite systems) and model checking algorithms presented [21].A significant fragment consists of the case when the c-semiring is a distributivelattice which occurs when the multiplicative operation is idempotent. In suchcases our full logic can be shown to be decidable. We have adapted thesemantics for the SHR framework of SHReQ, since the original logics aredefined for simple graphs and transition systems. Formulae are not interpretedas boolean values, but over the domain of the c-semiring modelling the QoS.In other words, the value of a formulae is not just true or false, but a c-semiring value expressing the level of satisfiability of a formula. In that mannerone can express the concepts like the QoS level of a path between two givennodes instead of simply expressing whether such a path exists or not. Theexpressivity and complexity of our logic in general will be subject of futureresearch.

Structure of the paper: Sections 2, 3 and 4 describe SHReQ together witha running example. Section 5 introduces the logic for SHReQ and applies itto the running example. Final remarks are in Section 6.

2 Syntax of Graphs

Given a set of labels L ranged over by L and a set of nodes N , a hyperedgeL(x1, ..., xn) connects nodes x1, . . . , xn ∈ N , where L has rank n (writtenL : n). We say that x1, ..., xn are the attachment nodes of L(x1, ..., xn). Hy-pergraphs are built from ranked hyperedges in L and nodes in N .

Notation 2.1 In the following, given a set X ranged over by x, we writex to denote vectors over X. The i-th component of x is denoted by xi and

{|x|}def=

⋃i∈{1,...,|x|} {xi} and |x| is the length of x.

Definition 2.1 [Hypergraphs] A hypergraph is a term of the following gram-mar

G ::= nil∣∣ L(x) ∣∣ G | G,

where L : |x| is a hyperedge.

D. Hirsch et al. / Electronic Notes in Theoretical Computer Science 153 (2006) 135–159 137

Hereafter, we call hypergraphs (hyperedges) simply graphs (edges) andwrite L(x) with the implicit assumption that L : |x|. The grammar in Defi-nition 2.1 permits generating the empty graph (denoted by nil), graphs witha single edge and graphs built by the parallel composition of graphs. We usen(G) to denote the set of nodes of G. Differently from [19], we neglect noderestriction for the sake of simplicity and an easier introduction of the logic.

•b

L

��

�

��

��

•a •c(a) A hyperedge

•x

L

��

�

��

�� M

��

•y •z(b) A hypergraph

Fig. 1. Hypergraphs

Example 2.2 Figure 1(a) represents the hyperedge L(a, b, c) where wires con-necting nodes a, b and c to L are called tentacles. The arrowed tentacle in-dividuates the first attachment node. Moving clockwise determines the othertentacles. Figure 1(b) depicts graph G = L(y, x, z) | M(x, z).

Structural congruence over graph terms avoids cumbersome parenthesis.

Definition 2.3 [Structural Congruence] The structural congruence is the small-est binary relation ≡ over graph terms that obeys the following axioms:

(G1 | G2) | G3 ≡ G1 | (G2 | G3), G1 | G2 ≡ G2 | G1, G | nil ≡ G

The axioms define associativity, commutativity and identity (nil) for op-eration |, respectively.

2.1 The Ring Case Study

In the following sections we exemplify the different topics introduced by meansof a running example where “rings” of different sizes are connected by gatesyielding a network of rings. A ring consists of a number of nodes connectedby some edges forming a cycle and the size of a ring is the number of nodesin it; we write n-ring for a ring of size n.

We assume that a network of rings can become bigger in two ways: byincreasing the size of rings or by creating new rings. A ring can augment itssize by “consuming” some resources so that the evolution of the network allowsrings to increase their size while some resources are available. Also, rings candecide (again depending on resources availability) to create new rings allowing


the expansion of the network. Newly created rings can initially have differentsizes.

In Figure 2, rings are represented as nodes connected by hyperedges la-belled by R and it shows a network with three rings, where the 4-ring isconnected with two rings of size two.

R��

R �� • R��

R��

• l • G�� • l • G �� • l •

R

��

l

��

l

��R

R

R

��

l

•

Fig. 2. A network instance

Hyperedges labelled with l (l-edges) prohibit new gates to be attachedon the node they insist on; such nodes are called limited nodes. As will bemade clearer later, on new ring creation, l-edges will be attached to the nodesconnected by gate edges (labelled G in Figure 2) avoiding new gates fromthose nodes. For example, in Figure 2 only the 2-rings can create (gates to)new rings. The nodes with no l-edges, can be used to generate new rings andwill be weighted by the amount of resource available for their evolution (seeSection 3.3).

3 Graphs and productions for SHReQ

This section describes SHReQ [19], a calculus based on SHR where c-semiringvalues are embedded in the rewriting mechanism. In [14], c-semirings havebeen exploited as a mathematical abstraction for application-level QoS sincetheir algebraic properties can naturally describe QoS values and the usualoperations on them. In [20] SHR with mobility of nodes has been gener-alised by parameterising the rewriting mechanism with respect to a synchro-nisation algebra with mobility. In [19], SHReQ took advantage of the ideasin [14,20] exploiting hypergraphs and SHR with mobility for modelling sys-tems (as in [18,25]) and c-semirings as synchronisation algebras. Hence, therewriting mechanism of SHReQ is parameterised with respect to a given c-semiring. Basically, values of c-semirings are synchronisation actions so thatsynchronising corresponds to operating on c-semiring values. Moreover, a hy-


pergraph modelling a system is decorated with c-semiring values on its nodesin order to record quantitative information on the computation of the system.A formal connection can be traced between synchronisation algebras in thesense of [20] and c-semirings, however, this connection is left as future work.

Here, we consider a simplified presentation of SHReQ where mobility is notconsidered and, as stated in Section 2, without node restriction for graphs.The first simplification reduces the reconfiguration expressiveness of rewritingsystems (i.e., the expressive power is reduced by disallowing node fusion) andthe second one simplifies the presentation of the inference system in Table 1(and the derived proofs). However, these restrictions do not affect the use ofc-semiring values as synchronization actions and help in a clearer introductionof the logic in Section 5, which is our main concern here. For the treatmentof node mobility in SHReQ and in SHR, the interested readers are referredto [19] and to [18,20,25], respectively.

3.1 Weighted graphs

Components (i.e., hyperedges in SHR) impose requirements on their neigh-bours when participating into a rewriting step. We use c-semirings to expressthose requirements so that rewriting takes into account quantitative informa-tion on computations. C-semirings have two distinguishing features that arevery useful in our context. First, the Cartesian product of c-semirings is stilla c-semiring, hence we can uniformly deal with different types of quantities.Second, the operations of c-semirings provide a partial order on the values anda mechanism of choice. These features make c-semirings suitable for reasoningabout multi-criteria QoS issues [14].

Definition 3.1 [C-semiring [3]] An algebraic structure 〈S, +, ·, 0, 1〉 is a con-straint semiring if S is a set (0, 1 ∈ S), and + and · are operations on Ssatisfying the following properties:

• + : 2S → S is defined over (possibly infinite) sets of elements of S asfollows 3 :

∑{a} = a,

∑∅ = 0,

∑S = 1 and

∑(∪Si) =

∑{∑

Si}, forSi ⊆ S, i ≥ 0.

The fact that + is defined over sets of elements, automatically assumesit to be associative, commutative and idempotent. Moreover, 0 is its unitelement and 1 is its absorbing element (i.e., a + 1 = 1, for any a ∈ S);

• · is commutative, associative, distributes over +, 1 is its unit element, and0 is its absorbing element (i.e., a · 0 = 0, for any a ∈ S). In the rest of

3 When + is applied to a set with two elements we use + as binary operator in infixnotation, while in all other cases we use symbol

∑in prefix notation.


the paper we assume that · is defined over infinite sequences too and usethe symbol

∏in postfix notation. Most of the c-semirings used in practice

satisfy this.

To enhance readability, operation + is called the additive operation and ·is called the multiplicative operation. The additive operation of a c-semiringinduces a partial order on S defined as a ≤S b ⇐⇒ a + b = b. a ≤S b meansthat a is more constrained than b (or that b ”is better than” a). Also, it canbe shown [3] that +, · are monotone over ≤S, the minimal element is 0 andthe maximal 1, and 〈S,≤S〉 is a complete lattice.

In some instances of a c-semiring, the multiplicative operation is idempo-tent. This implies, among other things, that + distributes over · and 〈S,≤S〉is a distributive lattice [3]. In this case, the greatest lower bound (noted as�

) corresponds to the multiplicative operation of the c-semiring (the additiveoperation already corresponds to the least upper bound of a complete lattice).

Example 3.2 The following examples introduce some c-semirings togetherwith their application as the formal structure of many QoS attributes.

• The boolean c-semiring 〈{true, false},∨,∧, false, true〉 can be used to modelnetwork and service availability.

• The optimization c-semiring 〈R+, min, +, +∞, 0〉 and the tropical c-semiring〈N+, min, +, +∞, 0〉 apply to a wide range of cases, like prices or propaga-tion delay.

• The max/min c-semiring 〈R+, max, min, 0, +∞〉 can be used to formalizebandwidth, or also the c-semiring over the naturals 〈N+, max, min, 0, +∞〉can be applied for resource availability.

• Performance can be represented by means of the probabilistic c-semiring〈[0, 1], max, ·, 0, 1〉 or the fuzzy one 〈[0, 1], max, min, 0, 1〉.

• The set-based c-semiring 〈2N ,∪,∩, ∅, N〉 (where N is a set), can be used forcapabilities and access rights.

• Security degrees are modeled via the c-semiring 〈[0, 1, . . . , n], max, min, 0, n〉,where n is the maximal security level (unknown) and 0 is the minimal one(public).

Example 3.3 As a special case, we can also define c-semirings specifyingspecific synchronisation mechanisms (for example Hoare, Milner, or Broadcastsynchronisation 4 ). In this way, we are able to define a general synchronisationpolicy as a unique c-semiring that combines (using the cartesian product)

4 See [19] for an example using a Broadcast c-semiring.


a classical synchronisation algebra with the QoS aspects of interest. Thefollowing c-semiring corresponds to Hoare synchronisation.

Given a set of actions Act, we define H = Act ∪ {1H , 0H ,⊥}. The Hoarec-semiring on H is 〈H, +H, ·H , 0H , 1H〉 specified as:

∀a ∈ Act. a · a = a (1)

∀a, b ∈ Act ∪ {⊥} : b �= a =⇒ a · b =⊥ (2)

plus commutative rules and the ones for 0 and 1. (3)

The operation +H is obtained by extending the c-semiring axioms for theadditive operation with a +H a = a, for all a ∈ H and a +H b =⊥, for alla, b ∈ Act ∪ {⊥} such that b �= a.

With Hoare synchronisation, a synchronisation can take place only whenall components attached to the corresponding synchronisation point agree ontheir actions (i.e., each of these components impose an action and they are allthe same). This is reflected in the Hoare c-semiring multiplicative equations.

Hereafter, we assume a fixed c-semiring 〈S, +, ·, 0, 1〉.

Definition 3.4 [Weighted graphs] A weighted graph is a pair Γ � G of agraph G and a weighting function Γ mapping a finite set of nodes to S suchthat n(G) ⊆ domΓ.

A weighted graph is a graph having values in S associated to its nodes. Wewrite x1 : s1, . . . , xn : sn � G for the weighted graph whose weighting functionmaps xi to si, for any i ∈ {1, . . . , n}, with the implicit assumption that nodesxi are all distinct and n(G) ⊆ {x1, . . . , xn}. If x �∈ domΓ, function Γ, x : s isthe extension of Γ on x.

3.2 Productions for weighted graphs

The classical SHR approach is a declarative framework where the behaviour ofan edge is specified via a set of productions describing the graph to be replacedfor the edge, provided that some requirements are satisfied by the surrounding

environment. A production takes the form p : L(x)Λ−→ G where L(x) is a

hyperedge, G a hypergraph and Λ specifies the requirements. Roughly, pstates that, in a given graph, an edge labelled L can be replaced by G providedthat the environment satisfies requirements Λ. Productions of SHReQ have aslightly different definition and interpretation.


Definition 3.5 [Productions] Given a tuple of pairwise distinguished nodes

x and a graph G such that {|x|} ⊆ n(G), χ � L(x)Λ−→ G is a production iff

• L is an edge label of arity |x|;

• χ : {|x|} → S is the applicability function;

• Λ : {|x|} → S is the communication function.

A SHReQ production, or simply production, χ � L(x)Λ−→ G states that,

in order to replace L with G in a graph H , the graph H must satisfy theconditions expressed by the applicability function χ on the attachment nodesof L. Once χ is satisfied in H , L “contributes” to the rewriting by offeringΛ in the synchronisation with the other edges connected to its attachmentnodes. As will be made clearer later, χ expresses the minimal requirementthat the execution environment must satisfy in order to apply the production.Finally, it is understood that the new nodes appearing in G can be freelyrenamed (avoiding name-capturing of the nodes in x); moreover, nodes xare considered local to the production and can be renamed with fresh namesthrough the whole production.

We remark that, in χ � L(x)Λ−→ G, c-semiring values play different roles

in χ and Λ: in the former, they are interpreted as the minimal requirementsthat the environment must satisfy for applying the production; in Λ they arethe “contribution” that L yields to the synchronisation with the surroundingedges.

3.3 C-semirings and productions for the ring case study

Productions for the running example of Section 2.1 rely on the c-semiring Rgiven by the cartesian product of the Hoare c-semiring 〈H, +H , ·H, 0H , 1H〉,where H = {a, b, c, 1H , 0H ,⊥} and 〈N+, max, min, 0, +∞〉, the max/min c-semiring (Example 3.3 and 3.2). The former coordinates the network rewrit-ings and the latter represents resource availability, indeed the product ofmax/min (i.e., min) computes the residual availability of resources. Theunit of the multiplication (resp. addition) of R is 1 = (1H , +∞) (resp.0 = (0H , 0)). Moreover, weights on nodes will determine when a new ringis created.

The idea is that the network starts from an initial graph representing aring with a number of (non-limited) nodes with weights (1H , u) where valueu is the maximal amount of available resource. For simplicity, all nodes innewly created rings initially contain the same value u. The limited nodescreated during ring evolution are weighted with (b, +∞) which is constantlymaintained.


Create Brother (n < u)

•x

• (a,n)x R

R

−→ •z l

• (α,+∞)y R

•y

x : (0H , u),y :0 � R(x,y)

(x, (a, n))

(y, (α, +∞))−−−−−−−→ R(x,z) | R(z,y) | l(z)

Accept Syncrhonisation R Accept Syncrhonisation l

• (b,+∞)x •x

R

−→ R

• (α,+∞)y •y

• (b,+∞)x •x

l −→ l

x : (0H , +∞),y :0 � R(x,y)

(x, (b, +∞))

(y, (α, +∞))−−−−−−−→ R(x,y) x :0 � l(x)

(x,(b,+∞))−−−−−−→ l(x)

where α ∈ {a, b}

Fig. 3. Productions for ring evolution

Figure 3 and Figure 4 show the productions for the case study giving bothtextual and graphical representation (drawings are simplified by not represent-ing the applicability functions that appears in the textual representation). Ac-tually, most of them are production schemas corresponding to a set of similarproductions. For example, α ranges over actions {a, b} and Create Brotheris a production schema where n < u.

Figure 3 contains productions modelling the ring evolution while Figure 4contains productions for the creation and initialization of a gate and a newring. Detailed comments on the productions follow.

Schema Create Brother increases the size of the ring by adding a R-edge as represented in the graph on the right-hand-side. The applicabilitycondition on x, (x :0H , u), means that the graph weight in matching node ofx must be greater than or equal to u (i.e., there is at least a resource value uavailable). Then, edge R(x, y) imposes on node x an action (a, n) such thatu has to be greater than n. Action a assures that the production can only beapplied over non limited nodes since the only production for l-edges imposesaction b, which cannot synchronise with a. Notice that node z is a new limitednode since a l-edge is connected to it. These productions apply regardless ofy being a limited node or not.

Schema Accept Synchronization R is used to agree to synchronisationwith the rings in charge of creating new components. In this way, only oneof the R-edges connected to a non limited node creates a new component.The result of synchronising on y for α = a (using Create Brother for the


Create Gate (r > 0)

• (a,+∞)x l •x

G �� •z

Rur ��R

−→ R

• (b,+∞)y •y

x : (0H , u),y :0 � R(x,y)

(x, (a, +∞))

(y, (b, +∞))

−−−−−−−→ R(x,y) | l(x) | G(z,x) | Rur (z,z)

Init Ring

(r > 0)

•x

• (c,u)x R

Rur

−→ •z

• (c,+∞)y Rur−1

•y

• (c,u)x •x

Ru0

−→ R

• (c,+∞)y •y l

x :0,y :0 � Rur (x,y)

(x, (c, u))

(y, (c, +∞))

−−−−−−−→ R(x,z) | Rur−1(z,y) x :0,y :0 � Ru0 (x,y)

(x, (c, u))

(y, (c, +∞))

−−−−−−−→ R(x,y) | l(y)

Accept Synchronisation Init Accept Synchronisation Gate

• (c,+∞)x •x

R

−→ R

• (c,+∞)y •y

• (β,+∞)x •x

G

−→ G

• (b,+∞)y •y

x :0,y :0 � R(x,y)

(x, (c, +∞))

(y, (c, +∞))−−−−−−−→ R(x,y) x :0,y :0 � G(x,y)

(x, (β, +∞))

(y, (b, +∞))−−−−−−−→ G(x,y)

where β ∈ {b, c}

Fig. 4. Productions for creating a new ring

neighbour) will be the product (a, n)·(a, +∞) = (a·Ha, min(n, +∞)) = (a, n).This result will be the new weight of the graph node matching y and representsthe remaining available resource. Note that the condition on x (x : (0H , +∞))assures that x must be a limited node. Finally, Accept Synchronization lsimply avoids that limited nodes create new brothers and gates.

Create Gate (r > 0) The previous (schema of) productions are used forring evolution. An edge R(x, y) where x is non limited and y is limited, canconsume the remaining resource on x to create from it a gate to a new ring.A value r is non-deterministically chosen as the size of the new ring and uis the initial weight of its nodes (edge Rur ). Once a new gate is connectedto x, it is converted into a limited node by adding an edge l(x). Note thatif all resources in a node are consumed using Create Brother, we arrive tothe base case u = 1 and Create Gate will be the only applicable productionallowing component synchronisation. It is worth noticing that while a gate iscreated, the rest of the ring can continue its evolution.


Schemas Init Ring inductively initialise a new ring to the intended sizeand to the initial weights of nodes (action (c, u) on node x). Action c avoidsapplying rules in Figure 3 as well as Create Gate until the ring has finishedthis phase. When the intended size of the ring is obtained (r = 0), Ru0 is turnedinto a R-edge and a l-edge is attached to the same node as the gate. At thispoint, we have r nodes with resource u and the l-edge can only synchronisewith action b, therefore, from now on only productions on Figure 3 and CreateGate can be used. Finally, Accept Synchronisation Init and AcceptSynchronisation Gate are used as for making R and G edges to allow ringinitialisation.

4 Synchronised Rewriting for SHReQ

SHReQ rewriting mechanism relies on c-semirings where additional structureis defined. More precisely, we require that there is a set NoSync ⊆ S suchthat ∀s ∈ S : ∀t ∈ NoSync : s · t ∈ NoSync and 0 ∈ NoSync. The intuition isthat NoSync is the set of values representing “impossible” synchronisations.In the case of the Hoare c-semiring (Example 3.3), set NoSyncH contains 0Hand ⊥ while for the cartesian product of the max/min and Hoare c-semiringsit is NoSync = {0,⊥} ∪ {(a, 0)|a ∈ Act} ∪ {(0H , n)|n ∈ N

+}.

Before giving SHReQ semantics, we establish some notational conventions.We let Ω be a finite multiset over N × S. We write multisets by listing the(occurrences of their) elements in square brackets, e.g. [a, a, b] is the multisetwith two occurrences of a and one of b where the order is not important, i.e.,[a, a, b] = [a, b, a] = [b, a, a]. Multiset membership and difference are expressedby overloading ∈ and \, respectively; the context will always clarify if we arereferring to sets or multisets. Multiset union is denoted by �; sometimes wealso write A � B to denote the multiset [a | a ∈ A] � [b | b ∈ B], where A orB is a set. Moreover,

• domΩ = {x ∈ N | ∃s ∈ S : (x, s) ∈ Ω};

• Ω@x = [(x, s) | (x, s) ∈ Ω];

• WΩ : domΩ → S WΩ : x �→∏

(x,s)∈Ω@x

s;

• for σ : N → N , Ωσ = [(σ(x), s) | (x, s) ∈ Ω].

4.1 SHReQ Semantics

The semantics of SHReQ is a labelled transition system specified with inferencerules given on top of quasi-productions.


Definition 4.1 [Quasi-productions] The set QP of quasi-productions on P isdefined as the smallest set containing P such that

χ � L(x)Ω−→ G ∈ QP

∧

y ∈ N \ new(G) =⇒ χ′ � L(x{y/x})Ω{y/x}−−−→ G{y/x} ∈ QP,

where x ∈ {|x|} and χ′ : {|x|} \ {x} ∪ {y} → S is defined as

χ′(z) =

⎧⎪⎪⎪⎨⎪⎪⎪⎩

χ(z), z ∈ {|x|} \ {x, y}

χ(x) + χ(y), z = y ∧ y ∈ {|x|}

χ(x), z = y ∧ y �∈ {|x|}.

Intuitively, quasi-productions are obtained by substituting nodes in pro-ductions and relaxing the condition that attachment nodes of the left-hand-side should be all different. When y is substituted for x, χ′ assigns to y eitherχ(x) + χ(y) or χ(x) depending whether y ∈ {|x|}; nodes z not involved in thesubstitution maintain their constraint χ(z).

Proposition 4.2 χ � L(x)Ω−→ G ∈ QP =⇒ domΩ = {|x|}.

Definition 4.3 [Communication and weighting] Let Ω : domΩ → S be thecommunication function induced by Ω defined, for (x, s) ∈ Ω as Ω(x) = WΩ(x).We say that Ω is defined (written as Ω ↓) iff

∀x ∈ domΩ : |Ω@x| > 1 =⇒ WΩ(x) �∈ NoSync.

Let Γ be a weighting function such that domΩ ⊆ domΓ and I ⊆ N \domΓ,the weighting function induced by Γ and Ω is ΓIΩ : domΓ ∪ I → S, defined as

ΓIΩ : x �→

⎧⎪⎪⎪⎨⎪⎪⎪⎩

1, x ∈ I

Γ(x), |Ω@x| = 1

WΩ(x), otherwise

For each x ∈ domΩ, Ω computes the requirements resulting from the syn-chronisation of requirements in Ω@x. More precisely, it multiplies the valuesaccording to the c-semiring multiplication. Condition (4.3) avoids synchro-nisations (and hence rewritings) when a value in NoSync is the result of thecomposition. The weighting function computes the new weights of graphsafter the synchronisations induced by Ω. New nodes (identified by set I)are assigned with 1, nodes x upon which no synchronisation took place (i.e.,


(ren)χ � L(x)

Ω−→ G ∈ QP Ω ↓ x ∈ domχ =⇒ χ(x) ≤ Γ(x)

Γ L(x)Ω−→ ΓIΩ G

(com)

x ∈ domΓ1 ∩ domΓ2 =⇒ Γ1(x) = Γ2(x)

Γ1 G1Λ1−→ Γ′1 G

′1 Γ2 G2

Λ2−→ Γ′2 G′2 Λ1 � Λ2 ↓

Γ1 ∪ Γ2 G1 | G2Λ1�Λ2−−−→ Γ1 ∪ Γ2

IΛ1�Λ2 G

′1 | G

′2

Table 1Hypergraph rewriting rules.

|Ω@x| = 1) maintain the old weight while those where synchronisations hap-pen (i.e., |Ω@x| > 1) are weighted according to the induced communicationfunction. We can now define the LTS of weighted graphs.

Definition 4.4 [Graph transitions] A SHR with QoS (SHReQ) rewriting sys-tem consists of a pair (QP , Γ � G), where QP is a set of quasi-productionson P and Γ � G is the initial weighted graph. The set of transitions of(QP, Γ � G) is the smallest set obtained by applying the inference rules inTable 1 where, I = n(G) \ domΓ.

Rule (ren) applies quasi-productions to weighted graphs provided that Ωis defined and that the weights on the graphs satisfy conditions χ, namely,χ(x) ≤ Γ(x), for all x ∈ domχ. Notice that the communication functionand weights in the conclusions are obtained as in Definition 4.3. Similarly,rule (com) yields the transition obtained by synchronising the transitions oftwo subgraphs, provided that the (proofs of the) subgraphs assume the sameweights on the common nodes.

4.2 SHReQ for the ring case study

Now, we show a derivation using productions in Figure 3 and Figure 4 basedon the SHReQ semantics (Table 1). This simple example shows how SHReQcan deal with system evolution affected by multiple ”dimensions” of quality.In section 5.3 we will use this example to present different properties usingthe logic for SHReQ.

Instead of a pedantic application of the formal rules, the graphical repre-sentation of the derivation is chosen to help intuition (the formal derivationcan easily be obtained by following the graphical representation). Figure 5presents a derivation starting with a 2-ring and ending with the graph inFigure 2. Tentacles are decorated with the synchronisation requirements im-posed by productions and nodes are decorated with their weights. For the


Ra,∞ a,3

•(1H ,5) • (1H ,5)

Ra,∞a,2

��

⇓ Creat Brother(u = 5, n = 2) × Creat Brother(u = 4, n = 3)

Ra,∞ b,∞�� •1

Rb,∞ a,∞

��•(a,2) • (a,3)

l

b,∞

R

a,∞

b,∞

l

b,∞

R

a,∞

b,∞

��•1

⇓ Creat Gate (r = 1, u = 2) × Creat Gate (r = 1, u = 3) × Accept∗

R �� •(b,∞)

R

��R21 c,2

�� c,∞��

•1

G b,∞c,∞�� • (a,∞) l •(a,∞) Gb,∞ c,∞ �� •1

R31c,∞ ��c,3

��

l

b, ∞ l

��

R

R

��l

•(b,∞)

⇓ Init Ring(r = 1, u = 2) × Init Ring(r = 1, u = 3) × Accept∗

Rc,∞ c,∞

��R �� •

(b,∞)

R

��R30c,∞ c,3

��• 1 •(c,2) G b,∞c,∞�� • (b,∞) l •(b,∞) Gb,∞ c,∞ �� • (c,3) •1

R20c,2

��c,∞

l

��b, ∞ l

��R

c,∞

��c,∞

R

R

��l

•(b,∞)

⇓ Init Ring(r = 0, u = 2) × Init Ring(r = 0, u = 3) × Accept∗

R

��R �� •

(b,∞)

R

��R

��• (c,2) l •

(c,∞)

G�� • (b,∞) l •(b,∞) G �� •(c,∞)

l •(c,3)

R

��

l

��l

R

��

R

R

��l

•(b,∞)

Fig. 5. A derivation

sake of clarity, node names are avoided as node position identifies them dur-ing rewriting. Between graphs, the names of the applied productions areindicated together with the instantiation of schema parameters. For the sakeof clarity, in the third and fourth graph, the center of the main ring containsa synchronisation action (b, +∞) indicating that all edge productions in the


main ring impose that action on the nodes.

The derivation starts from a ring of two components with resource value 5.Both components apply production Create Brother. The first one choosesu = 5 (satisfying condition 5 ≤ 5) and n = 2 (meaning that the resource tobe consumed is 3). Similarly, the second production chooses u = 4 (satisfyingcondition 4 ≤ 5) and in this case n = 3. Synchronised rewriting results in thesecond graph with four components (new nodes are limited). The resultingsynchronisation produces the new weights for the nodes (see second graph) as,

(a, 2) = (a, 2) · (a, +∞) = (a ·H a, min(2, +∞))

(a, 3) = (a, 3) · (a, +∞) = (a ·H a, min(3, +∞)).

In the second graph, the two components with the shadow box are the onlyones allowed to create brothers or gates. They use all the remaining resources(u = 2 and u = 3, respectively) to create gates to two 2-rings (r = 1); theother edges apply the Accept productions. The result of the rewriting stepis the third graph, where the new rings are ready to be initialised. Note thatthe two nodes in the main ring where gates are connected, now are limited.

The last two rewriting steps initialize the new rings with the Init pro-ductions, obtaining the final graph of Figure 2. Observe how the main ringremains the same applying Accept productions, and that, in the last step,productions Accept Synchronisation Init ensure that the weights on thenon limited nodes of the new rings are (c, 2) and (c, 3), respectively.

5 A Logic for SHReQ

In this section we describe the specification formalism of SHReQ, which con-sists of a spatio-temporal logic interpreted over c-semiring values.

Let F be the universe containing all the c-semiring functions Si → S,i ≥ 0. Set F obviously contains c-semiring addition and multiplication asbinary functions, and values as zero-adic functions.

5.1 Logic Syntax

Let VN be a set of node variables (disjoint from N and ranged over by u, v) andVR be a set of recursion variables (ranged over by r). Formulae of the graph


logic are generated by φ in the following grammar (remind Notation 2.1):

φ ::= nil | Γ(ξ) | L(ξ) | φ|φ | φ‖φ spatial operators

| f(φ, . . . , φ) c-semiring operators

| κu.φ node quantification

| u = v node equality

| [κ] φ temporal operator

| r(ξ) | (μr(u).φ)ξ | (νr(u).φ)ξ fixpoints

where L ⊆ L is a finite set of labels, ξ ranges over N ∪ VN , f ∈ F andκ ∈ {

∑,∏ �

}. Obviously, we require L : |ξ| for all L ∈ L; moreover, in thelast productions for φ, |ξ| = |u|. In addition, we impose the usual restrictionof r(ξ) to occur as operand of a monotone function or under an even number ofantimonotonic functions in order to guarantee that fixpoints are well defined.

Before giving a formal definition of the semantics of our logic, which is donein Section 5.2, we give an intuition of the different syntactic ingredients. Withnil we characterize graphs with no edges, Γ(ξ) is used to express the weightof nodes, while L(ξ) is used to state whether or not there is an edge with ξ asattachment nodes and with label contained in L. A decomposition of a graphG is an ordered pair of graphs G1, G2 such that G1 | G2 ≡ G. The set of alldecompositions of a graph G will be denoted by Θ(G). It is not hard to see thatthe size of Θ(G) is exponential in the number of edges of G. With φ1|φ2 werange over all decompositions (G1, G2) of the graph multiplying the evaluationof φ1 in G1 and the evaluation of φ2 in G2. To all such values, the additiveoperation is applied. As will be made clearer later, the spatial operator ||is dual to |. Node quantification evaluates φ for each node u of a graphand then quantifies using κ which is semiring addition, multiplication or glb.Node equality and c-semiring operations have a straightforward interpretation.The temporal operator [κ]φ applies κ to the values obtained by evaluating φafter one transition, and fixpoints with parameterized recursion have the usualmeaning (see [7], for instance). Observe that ingredients considered as dualsare necessary since the absence of a negation operator in c-semirings impedesto derive them from their duals [21]. For instance, a least fixpoint operatorcannot be obtained via the greatest fixpoint operator.

5.2 Semantics

The set of all weighted graphs is denoted by G (recall that we assume N , Land the c-semiring modeling QoS to be fixed). We consider a fixed SHReQ


rewriting system (QP, Γ � G) and interpret a formula as a mapping fromG into S, i.e., from the set of all weighted graphs into the domain of thec-semiring. Let σ : VN → N denote the name environment that maps nodevariables with nodes and let ρ be the usual propositional environment mappingrecursion variables into functions V ∗R → (G → S). With abuse of notation welet environments to be applied to actual names and mappings resulting inthe identity, and we abbreviate their application using postfix notation. Theinterpretation of formulae is as follows:

�nil�σ;ρ(Γ � G) = G ≡ nil�L(ξ)�σ;ρ(Γ � G) =

∑L∈L{G ≡ L(ξσ)}

�Γ(ξ)�σ;ρ(Γ � G) = (ξσ ∈ domΓ) · Γ(ξσ)�ξ = ξ′�σ;ρ(Γ � G) = ξσ = ξ′σ

�f(φ1, . . . , φn)�σ;ρ(Γ � G) = f(�φ1�σ;ρ(Γ � G), . . . , �φn�σ;ρ(Γ � G))�φ1|φ2�σ;ρ(Γ � G) =

∑(G1,G2)∈Θ(G)

{�φ1�σ;ρ(Γ � G1) · �φ2�σ;ρ(Γ � G2)}�φ1‖φ2�σ;ρ(Γ � G) =

∏(G1,G2)∈Θ(G)

{�φ1�σ;ρ(Γ � G1) + �φ2�σ;ρ(Γ � G2)}�κu φ�σ;ρ(Γ � G) = κx∈domΓ�φ�σ[x/u];ρ(Γ � G)�[κ] φ�σ;ρ(Γ � G) = κΓ�G Λ−→Γ′�G′�φ�(Γ′ � G′)�r(ξ)�σ;ρ(Γ � G) = rρ(ξσ)

�(μr(u).φ)ξ�σ;ρ(Γ � G) = lfp(λr′.λv.�φ�σ[v/u ],ρ[r�→r′])(ξσ)(Γ � G)�(νr(u).φ)ξ�σ;ρ(Γ � G) = gfp(λr′.λv.�φ�σ[v/u ],ρ[r�→r′])(ξσ)(Γ � G),

where κ ∈ {∑

,∏

,�}. All terms in the right hand side are interpreted over a

fixed c-semiring.

We now concisely describe the semantics of the logic described above.First, observe that some of the ingredients are purely boolean, in the sensethat they return either 1 or 0, which are interpreted as the truth or the falsity.This is indeed the case of nil, L(ξ), and ξ = ξ′. Formula nil characterisesgraphs with no edges, namely it holds for graphs structurally congruent tonil. Formulae like L(ξ) are used to reason about the structure of a graph: if agraph G consists of a single edge labelled with some label L ∈ L then the for-mula evaluates to 1 and otherwise to 0. Node equality is trivially interpretedas 1 if both nodes are equal and 0, otherwise.

Remaining formulae might evaluate to any c-semiring value, as far as sub-formulae of type Γ(ξ) are present. Such a formula evaluates to the QoS as-


sociated to a node ξσ but only if the node belongs to the graph where theformula is being evaluated, otherwise 0 is returned.

The interpretation of c-semiring functions is straightforward and noticethat the interpretation of 1 yields 1 for any graph.

The standard boolean interpretation of the spatial formula φ1|φ2 (resp.φ1||φ2) is that it evaluates to true for graphs that can be decomposed intotwo subgraphs one satisfying φ1 and the other φ2 (resp. one subgraph satisfiesφ1 or the other satisfies φ2 regardless the graph decomposition). In our logicthe semantics is given by substituting boolean conjunction (resp. disjunction)by c-semiring multiplication (resp. addition). Thus, in a graph G, φ1|φ2 isevaluated by considering all possible decompositions (G1, G2) of G. For eachdecomposition, φ1 and φ2 are evaluated in G1 and G2, respectively, and theresult is multiplied. All the values obtained are summed up. The value ofφ1||φ2 is obtained dually with respect to the addition and multiplication oper-ation of the c-semiring, i.e., for each decomposition, φ1 and φ2 are evaluatedin G1 and G2, and the result is summed up, and finally all the values obtainedare multiplied.

As already said, the main originality of c-semiring based logics is thatboolean operators and constants are substituted by c-semiring operations andconstants. This is also the case of node and next-time quantifiers. Boolean log-ics typically consider two forms of node and temporal quantification, namelyexistential and universal. C-semiring based logics substitute existential anduniversal quantification with semiring addition and multiplication, respec-tively. However, in addition, c-semiring based logics consider a third wayof quantifiying, namely the greatest lower bound (glb) operation of the im-plicit lattice. The main reason is that in c-semirings where the multiplicativeoperation is not idempotent the glb and the multiplicative operation do not co-incide, but one might be interested in considering both cases. A clear exampleis the tropical c-semiring, which can be used to model prices. In such systemsone could be interested, for instance, in expressing the cheapest (c-semiringaddition), the cumulation (c-semiring multiplication) or the most expensiveprice (c-semiring glb) amongst a set of services. Thus, for instance the valueof [κ]φ in a graph G is obtained by considering all possible transitions from Gto the resulting graphs G′, where φ is applied. Then, all the values obtainedare quantified using κ.

We now describe the semantic of fixpoints formulae. First of all, we con-sider closed formulae only. Therefore, when evaluating a fixpoint formula like(μr(u).φ) or (νr(u)).φ, function λr′.λv.�φ�σ[v/u ],ρ[r�→r′] is well defined [24] sinceevery variable is bound except for its two parameters which are (i) a mappingr′ of node vectors into functions with G as domain and S as co-domain, and


(ii) a vector v of nodes. Thus, a fixpoint is a function whose domain is theset of node vector and codomain is the set of mappings of G into S. Theapplication of a fixpoint to a vector of nodes produces a mapping of weightedgraphs into c-semiring values. We refer to [17] and [21] for a deeper discussionon these issues.

5.3 Applying the logic

We now illustrate our logic with a set of formulae expressing properties thatare interpreted over the example derivation in section 4.2. Note that someof the following properties are purely boolean in the sense that they evalu-ate either to 0 or to 1. In such cases we recommend readers to read theformulae in a boolean sense (considering 0 as False and 1 as True) and tointerpret c-semiring addition as disjunction or existential quantification andmultiplication as conjunction or universal quantification.

First, we define a formula that expresses that there is a path in a graphbetween two nodes u, v made of edges labelled by elements in L.

path(u, v, L) ≡ μr(u, v).(u = v) +∑

w

L(u, w)|r(w, v).

Formula path(u, v, L) states that, in a graph, there is a path from u to veither when u is exactly v (i.e., u = v) or when the graph can be decomposedin two subgraphs, one containing an arc from u to a node w and the other a

path from w to v, i.e.∑

w

L(u, w)|r(w, v).

A pair of nodes u, v belong to a ring whenever there are two disjoint pathsfrom u to v made of R-edges

ring(u, v) ≡ path(u, v, {R}) | path(v, u, {R}). (4)

Looking at Figure 5, we can see that as the ring formula is defined over a setcontaining label R, then its application over two nodes belonging to differentrings results in 0 because they are connected with a path that must containa G-edge.

A tree of rings is a tree where nodes are rings connected by G-edges. Fromformula (4) we can easily derive another one that characterizes trees of rings,by requiring that (5) every node is in a ring, (6) every node is reachable fromany other node, and (7) only two nodes in a ring can belong to a cycle:


tree≡∏u

ring(u, u) (5)

·∏u

∏v

path(u, v, {R, G}) + path(v, u, {R, G}) (6)

·∏u

∏v

(path(u, v, {R, G}) · path(v, u, {R, G})) → ring(u, v)) (7)

where → is equivalent to ≤S interpreted in a boolean way, but we use adifferent symbol to enhance the readability of the examples. For example, thefirst, second and last graphs in Figure 5 satisfy the three requirements of theformula. A graph with two gates connecting the same rings falsifies the thirdrequirement and a non connected graph falsifies the second one. This formulashows how to check the configuration consistency of the network.

Previous examples refer only to structural aspects. Now we state a prop-erty regarding temporal issues, namely that every non limited node will even-tually have a gate attached to it. We use abbreviation summation(φ) definedas μr.φ + [

∑] r. Note that in a boolean context formula summation(φ) can

be thought of as eventually(φ), with its usual interpretation, i.e., it resultsin 1 if φ gives 1 at least once. Thus we write:

∏u

¬({l}(u) | 1) → summation

(∑v

({G}(v, u) | 1)

)(8)

where ¬ is the c-semiring function that maps 0 into 1 and every value distinctfrom 0 to 0. The interpretation of formula (8) over the initial graph in Figure 5will range over its two nodes. It is easy to see that the antecedent of theimplication is 1 (since no l-edge is present), hence the whole property holdsonly if the consequent is 1 as well (because → is ≤S and 1 is the maximumof the c-semiring). According to the first two rewriting steps in Figure 5, theinitial graph eventually evolves to a graph containing gates connected to thatnodes, namely the consequent is evaluated to 1, as required.

Up to this point, all presented formulae have been purely boolean. We nowintroduce a formula concerning QoS aspects and whose interpretation mightreturn values different from 0 or 1. Assuming to be applied over a graphforming a ring (i.e., a cycle over R-edges), we consider the property obtainingthe highest available resource in the ring, i.e., the maximum over the weightsof non limited nodes.(∏

v

({l}(v) | 1) +∑

u

Γ(u) · ¬({l}(u) | 1)

)· (0H , +∞)

In the case of a ring with all limited nodes the result is +∞ (the last part of theformula (0H , +∞) simply selects the second component of the pair). Note that


we quantify over all nodes, but only those not being attached to a l-edge willbe relevant, since subformula ¬({l}(u) | 1) returns 1 for non limited nodes,and 0 otherwise. Then, for every node the value of the mentioned subformulais multiplied by the QoS of the node, i.e., by Γ(u). The first term of the

formula∏

v

({l}(v) | 1) is necessary for the case when all nodes are limited.

For example, interpreting this formula on the left-side ring of the last graphof Figure 5 gives (0H , 2). For the ring in the right side it is (0H , 3), and forthe middle ring it is (0H , +∞) given that all its nodes are limited.

Our last formula states a property that regards structure, behaviour andQoS aspects. As defined by production Create Gate, a new ring is createdwith a value u that will be the initial resource weight of non limited nodesof the ring (see Figure 4). We specify a formula yielding the best value (i.e.,the maximum) of the initial resource weight of every ring ever generated bythe derivations of an intial graph. First, we construct a formula to obtain theresource of a newly generated ring. This can be done by (9) looking over agraph containing a Ru0 -edge, and (10) after the next rewriting step looking atthe weight of the first attachment node of the R-edge that has replaced it:

resource≡∑w,v

({Ru0}(w, v) | 1) · (9)

([∑]({R}(w, v) | 1) · Γ(w)

). (10)

Then we use the abbreviation (summation(resource) · (0H , +∞)) which,actually, computes the best value of resource in every reachable state 5 . Thus,it expresses the desired property, i.e., the best initial resource value of everyring ever created. The interpretation of (summation(resource) · (0H , +∞))only to the derivation of Figure 5, finds the two new rings over which themaximum is chosen resulting in (0H , 3).

5.4 SHReQ logic in context

In the literature, several approaches propose spatio-temporal logics for sys-tems involving both structural and behavioural aspects. First, there are someapproaches to reason about rewriting systems. For instance, [22] and [2] pro-pose graph transition systems as modelling formalism for rewriting systems.The temporal and spatial aspects are treated differently. The logic of [22] com-bines the temporal logic LTL with second order quantification over nodes andregular expressions to express path properties, while [2] combines a μ-calculuswith the Monadic Second-Order (MSO) logic for graphs [11]. In contrast, we

5 We restrict the schemas to obtain a finite set of finite derivations from an initial graph.


interpret formulae directly over SHReQ rewriting systems and use a spatialapproach for the structural aspects.

Spatial logics are used to reason about the structure of models, such asheaps [23], trees [8], processes calculi [4,5,6] and graphs [7,12]. The commonconcept in such approaches is that if a notion of model composition exists(like parallel composition in process calculi or in graph grammar) one canreason about decompositions in the corresponding logic. The usual way isvia a composition operator |, where φ|ψ is satisfied by models that can bedecomposed in two sub-models, one satisfying φ and another one satisfying ψ.In graphs, composition is closely related with the second-order quantificationover set of edges used in MSO. Indeed, the expressive power of the fixpoint-freefragment of GL have been shown to be included in MSO [12]. The full logic,on the other hand, is able to express properties unlikely to be represented inMSO [12]. It is an open question whether GL subsumes MSO.

Spatial logics for process calculi [4,5,6] include mechanism to reason aboutname restriction and behaviour. Although node restriction is part of our graphmodel we neglect a mechanism to reason about hidden names for the sake ofsimplicity.

There are also approaches that interpret temporal logics over domainsdifferent than the usual boolean one, like boolean algebras [10] or probabil-ities [13]. There is also a vast number of works regarding the analysis andverification of systems where the focus is on probabilities and time. We citeamong others the work on CSL [1], a logic that combines these two aspects.Contrary to such works we do not concentrate on specific issues like time orprobabilities but rather consider an abstract representation of QoS by meansof a suitable algebraic structure. More precisely, our own contribution tothis field of quantitative logics is that we propose logics to be defined overconstraint-semirings, our formalism for QoS.

In sum, the main novelty of our logic is that it includes mechanisms toreason about structural, behavioural and (c-semiring modeled) QoS aspects.

6 Final Remarks

We have introduced a logic for reasoning about structural, behavioral andQoS aspects of SHReQ systems [19], a formal framework for specifying sys-tems handling abstract high-level QoS aspects. SHReQ combines SHR withc-semirings so that the former models mobility and reconfiguration of systemson top of the latter which provide both the mathematics for multi-criteria QoSand the underlying synchronisation policies. The logic for SHReQ subsumesand generalizes previous approaches for reasoning about graphs [17] and tran-


sition systems [21] with QoS. Significant fragments of both logics have beenshown to be decidable (for finite systems) and model checking algorithms pre-sented (see [21], for instance). A significant fragment, for instance, consistsof the special case when the c-semiring is a distributive lattice which occurswhen the multiplicative operation is idempotent. This is indeed the case ofour scenario. In such cases our full logic can be shown to be decidable forfinite state space SHReQ systems. The intuition is that, as shown in [21],fixpoints are defined over finite lattice, even if the domain of the c-semiringis infinite. Hence, fixpoint iteration algorithms can be applied. On the otherhand, if the c-semiring is not a distributive lattice, such algorithms cannot beapplied in general. For instance, [21] gives decidability results and algorithmsfor some fragments of the logic only. However, we believe to obtain positiveresults for most of the interesting properties one wishes to express in SHReQsystems. This issues will be subject of future research. Also, we plan to de-velop suitable verification techniques that exploit the expressivity of SHReQand its logic.

References

[1] C. Baier, B. Havekort, H. Hermanns, and J.-P. Katoen. Model checking continuous-timemarkov chains by transient analyisis. In Computer Aided Verification, volume 1855 of LNCS,pages 358–372. Springer Verlag, 2000.

[2] P. Baldan, A. Corradini, B. König, and B. König. Verifying a behavioural logic for graphtransformation systems. In CoMeta’03, ENTCS, 2004.

[3] S. Bistarelli, U. Montanari, and F. Rossi. Semiring-based constraint satisfaction andoptimization. JACM, 44(2):201–236, March 1997.

[4] L. Caires. Behavioral and spatial observations in a logic for the π-calculus. In FOSSACS’2004,volume 2987 of Lecture Notes in Computer Science, pages 72–87. Springer, 2004.

[5] L. Caires and L. Cardelli. A spatial logic for concurrency (part II). In Proceedings of the 13thInternational Conference on Concurrency Theory, pages 209–225. Springer-Verlag, 2002.

[6] L. Caires and L. Cardelli. A spatial logic for concurrency (part I). Inf. Comput., 186(2):194–235, 2003.

[7] L. Cardelli, P. Gardner, and G. Ghelli. A spatial logic for querying graphs. In ICALP’2002,volume 2380 of Lecture Notes in Computer Science, pages 597–610. Springer, 2002.

[8] L. Cardelli, P. Gardner, and G. Ghelli. Manipulating trees with hidden labels. In Foundationsof Software Science and Computation Structures (FOSSACS), Lecture Notes in ComputerScience, pages 216–232. Springer, 2003.

[9] I. Castellani and U. Montanari. Graph Grammars for Distributed Systems. In H. Ehrig,M. Nagl, and G. Rozenberg, editors, Proc. 2nd Int. Workshop on Graph-Grammars and TheirApplication to Computer Science, volume 153 of LNCS, pages 20–38. Springer, 1983.

[10] M. Chechik, S. Easterbrook, and A. Gurfinkel. Multi-valued symbolic model-checking. ACMTransactions on Software Engineering and Methodology, 12(4):371–408, 2003.

[11] B. Courcelle. Handbook of graph grammars and computing by graph transformations, volume1 : Foundations, chapter 5: The expression of graph properties and graph transformations inmonadic second-order logic, pages 313–400. World Scientific, 1997.


[12] A. Dawar, P. Gardner, and G. Ghelli. Expressiveness and complexity of graph logic. Technicalreport, Imperial College, Department of Computing, 2004.

[13] L. de Alfaro. Quantitative verification and control via the mu-calculus. In Proceedings of 14thInternational Conference on Concurrency Theory, volume 2761 of Lecture Notes in ComputerScience, pages 102–126. Springer, 2003.

[14] R. De Nicola, G. Ferrari, U. Montanari, R. Pugliese, and E. Tuosto. A Formal Basis forReasoning on Programmable QoS. In N. Dershowitz, editor, International Symposium onVerification – Theory and Practice – Honoring Zohar Manna’s 64th Birthday, volume 2772 ofLNCS, pages 436–479. Springer, 2003.

[15] P. Degano and U. Montanari. A model of distributed systems based on graph rewriting. JACM,34:411–449, 1987.

[16] E. Emerson. Descriptive Complexity and Finite Models, chapter Model Checking and theMu-Calculus. American Mathematical Society, 1997.

[17] G. Ferrari and A. Lluch-Lafuente. A logic for graphs with QoS. In 1st Workshop on ViewsOn Designing Complex Architectures (VODCA), Electronic Notes in Theoretical ComputerScience. Elsevier, 2004. To appear.

[18] D. Hirsch. Graph Transformation Models for Software Architecture Styles. PhD thesis,Departamento de Computación, UBA, 2003. http://www.di.unipi.it/̃ dhirsch.

[19] D. Hirsch and E. Tuosto. SHReQ: A framework for coordinating application level qos. In3rd IEEE International Conference on Software Engineering and Formal Methods (SEFM05),pages 425–434, Koblenz, Germany, September 2005. IEEE Computer Society Press.

[20] I. Lanese and U. Montanari. Synchronization algebras with mobility for graph transformations.In Proc. FGUC’04 – Foundations of Global Ubiquitous Computing, ENTCS, 2004. To appear.

[21] A. Lluch Lafuente and U. Montanari. Quantitative mu-calculus and ctl defined over constraintsemirings. TCS special issue on quantitative aspects of programming languages, 2005. Toappear.

[22] A. Rensink. Towards model checking graph grammars. In M. Leuschel, S. Gruner, and S. L.Presti, editors, Proceedings of the 3rd Workshop on Automated Verification of Critical Systems,Technical Report DSSE–TR–2003–2, pages 150–160. University of Southampton, 2003.

[23] J. Reynolds. Separation logic: A logic for shared mutable data structures. In LICS 2002, pages55–74, 2002.

[24] A. Tarski. A lattice-theoretical fixpoint theorem and its applications. Pacific Journal ofMathematics, 1955.

[25] E. Tuosto. Non-Functional Aspects of Wide Area Network Programming. PhD thesis,Dipartimento di Informatica, Università di Pisa, May 2003. TD-8/03.


IntroductionSyntax of GraphsThe Ring Case Study

Graphs and productions for SHReQWeighted graphsProductions for weighted graphsC-semirings and productions for the ring case study

Synchronised Rewriting for SHReQSHReQ SemanticsSHReQ for the ring case study

A Logic for SHReQLogic SyntaxSemanticsApplying the logicSHReQ logic in context

Final RemarksReferences

Documents

A Logic for Application Level QoS - CORE · A Logic for Application Level QoS 1,2 Dan Hirscha Alberto Lluch-Lafuentea Emilio Tuostob a Dipartimento di Informatica, University of Pisa